lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <CAE=NcrYi2c8XaswXJOGENm7QLgps+OvYMVgz5-OTWud3f3a+Mg@mail.gmail.com>
Date:	Thu, 17 Oct 2013 15:20:15 +0300
From:	Janne Karhunen <janne.karhunen@...il.com>
To:	Linux Kernel Mailing List <linux-kernel@...r.kernel.org>
Subject: Re: 3.12.0-rc5+ reproducible crash at kernel/timer.c:1117

On Tue, Oct 15, 2013 at 10:41 AM, Janne Karhunen
<janne.karhunen@...il.com> wrote:

>> call_timer_fn 0x73/0x160 <--- EIP hits 0
>
> Use after free.. with CONFIG_DEBUG_PAGEALLOC &&
> CONFIG_DEBUG_OBJECTS_TIMERS we get :
>
> call_timer_fn 0x73/0x160
> destroy_timer_on_stack 0x20/0x20
> ftrace_raw_event_hrtimer_expire_entry 0x3b/0xc0
> run_timer_softirq 0x1f2/0x230

Sadly no time to hunt the free at the moment, so working around temporarily by

diff --git a/kernel/timer.c b/kernel/timer.c
index 4296d13..fc7ef44 100644
--- a/kernel/timer.c
+++ b/kernel/timer.c
@@ -1094,6 +1094,9 @@ static void call_timer_fn(struct timer_list
*timer, void (*fn)(unsigned long),
 {
        int preempt_count = preempt_count();

+       if (fn == NULL)
+               return;
+

Hoping someone wiser catches the real fix at some point.


-- 
Janne
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ